Lecture 4 pt. 3 Flashcards
What are End Device Logs useful for?
Network security analysis.
What types of logs can be produced by host devices?
- Host logs (Windows, Linux, Mac)
- HIDS
- CLI Logs
- SYSLOG Server Logs
- SIEMs
How can Microsoft Windows host logs be accessed?
Through the Windows Event Viewer.
What are the four types of Event Viewer logs in Windows?
- Application logs
- Security logs
- Setup logs
- System logs
What do Application logs capture?
Events logged by various applications.
What do Security logs capture?
Security-related events such as logon attempts and file management operations.
What information do Setup logs capture?
Information about the installation of software, including Windows updates.
What do System logs capture?
Information about the installation of software, including Windows updates.
What are the five types of events produced by Windows logs?
- Error
- Warning
- Information
- Audit Success
- Audit Failure
What does an Error event indicate?
A significant problem, such as loss of data or functionality.
What does a Warning event indicate?
An event that is not necessarily significant but may indicate a possible future problem.
What does an Information event describe?
The successful operation of an application, driver, or service.
What is logged during an Audit Success event?
An audited security access attempt that is successful.
What is logged during an Audit Failure event?
An audited security access attempt that fails.
What are Host-based Intrusion Detection Systems (HIDS) logs?
Logs from individual hosts, such as servers.
What is the purpose of Command-line logs?
To log command-line execution, providing visibility into incidents.
What is Syslog?
A client/server protocol for logging events to centralized syslog servers.
What are the three distinct parts of a Syslog message format?
- HEADER
- PRIORITY
- MESSAGE
What does a Severity level of 0 indicate in Syslog?
Emergency: system is unusable.
What does a Severity level of 1 indicate in Syslog?
Alert: action must be taken immediately.
What does a Severity level of 2 indicate in Syslog?
Critical: critical conditions that should be corrected immediately.
What does a Severity level of 3 indicate in Syslog?
Error: a non-urgent failure that should be resolved within a given time.
What does a Severity level of 4 indicate in Syslog?
Warning: an error does not presently exist but will occur if the condition is not addressed.
What does a Severity level of 5 indicate in Syslog?
Notice: an unusual event that does not require immediate action.
What does a Severity level of 6 indicate in Syslog?
Informational: messages regarding normal operation.
What does a Severity level of 7 indicate in Syslog?
Debug: messages of interest to developers.
What is the purpose of IIS Access Logs?
To capture transactional data from web servers.
What is the significance of Apache Access Logs?
They are an essential source of data for network security monitoring.
What do DNS proxy server logs document?
All the DNS queries and responses that occur on the network.